IronKey Secure Flash Drive Review

Being a self-confessed gadget freak, I’ve collected a large number of USB flash drives over the past few years and, like most people, I use them for many purposes: storing pictures, documents, presentations, applications… you name it, it’ll be saved to one of my flash drives.

They are of course extremely handy, everyone knows that. No bigger than a packet of gum, relatively cheap, nearly all are able to fit in your pocket or gear bag and with some manufacturers offering devices that can hold up to 256Gb of data, who doesn’t own one?! However, have you ever thought about how secure this data is if you accidentally misplaced your flash drive? I’ll be honest and say I have actually thought about it, but failed to look into it properly….. until now.

Back in 2009 I read about IronKey, who looked at the security of flash drives and then took it to a whole new level. The security offered is simply unparalleled compared to other USB flash drives that offer security to protect data. To be honest, the security each key provides may be a little over the top for the average user and is probably more suited to people who need to carry important data linked to government systems, corporate information or secret military files.

However, if you value your data, whatever it might be, then an IronKey is the flash drive for you.

For the purpose of the review I was sent the 1GB S200 IronKey Personal. This particular version is the mid-range flash drive, sitting between the IronKey Basic and the more beefed up IronKey Enterprise. The level of security remains the same across the whole range.

Hardware Encryption

As you can see from the specifications, this tamper-proof, waterproof, crushproof, military-grade flash drive isn’t just any ordinary flash drive! So, let’s take a closer look.

What’s in the box?

The IronKey arrived in a rather stylish black box, compared to most flash drives that are packed in plastic cases that are generally too big for them. Inside the box you get your IronKey, an easy to read instruction booklet and a small lanyard so you can attach your IronKey to your keychain.

The IronKey in display box, along with the instruction booklet and lanyard

Features

Build Quality

The first thing you’ll notice about the IronKey is just how tough it is. Even just holding it, you can tell its solid metal casing means business. The military grade material which contains iron and alloy, amongst other things, is then filled with a hardened epoxy compound, literally encasing the chips and processors inside. There is a small but bright multi-colour LED, showing data access, and, as mentioned it’s fully waterproof, again to military standards (MIL-STD-810F).

The robust IronKey 1Gb S200 Personal

IronKey also claim to have tested how robust it is by attempting to crush it with a car! They failed and the IronKey stood up to the test. So, we know it’s built well, but what about the security side of things?

Security

IronKey have spent millions of dollars on the research and development of their flash drives and claim to have the only flash drive which has passed the level 3 FIPS (Federal Information Processing Standard) 140-2. This means that the IronKey has the highest level of security placed into a flash drive…. ever. The level three tests that were carried out included looking at how robust the flash drive was and also how data is secured once it’s stored in the memory. The on-board ‘Cryptochip’, which is basically a mini processor, provides AES 256-bit hardware-based encryption to anything saved to the key’s memory. So, when it’s inserted into a computer, if the user is unable to provide the correct password that was used in the setup process, they cannot access the data. Simple.

Be careful here though, as if you input the incorrect password 10 times, the key will ‘self destruct’ (not literally explode however!) and destroy all the data held in its memory. The self-destruct sequence will also occur if the key detects a physical attack. IronKey advise that, should this occur, the key itself is fully disabled and cannot be used again. I took the option to save my chosen password during the setup process at the IronKey Password Website, which allows you to retrieve your password should you ever forget it.

Use

When you first plug the IronKey into your PC you’re prompted with a setup screen to initialise your key. Without doing this your key is pretty much useless to be honest, as it appears only as a read-only drive in Windows. During setup you’re asked to provide a nickname for your key and then a password, which you can store at the secure data-center, just in case you forget it! And, unlike some passwords for systems, the IronKey allows numbers, letters, special characters and spaces!

Don’t worry though, not even IronKey personnel can access this information. And, as the key contains all the software it needs, nothing is installed locally to your computer during the setup process.

Once setup is complete you can then create an IronKey account by registering the key’s serial number (as each key is completely unique) to the database held by IronKey. This only takes a few seconds to finalise, then your key is ready for use. Thereafter, each time you plug the key into your computer, you’ll be prompted to unlock it with the password you registered before you can use it.

At the unlock screen, you can actively choose to view any files stored on the key, unlock the key in read-only mode, login to your on-line IronKey account, or open the IronKey Control Panel.

The control panel is the hub of information for the IronKey and allows you to perform various functions, such as browse the data saved on the key, perform a secure backup of the key’s data to a location on your PC or add any personal data such as owner information. The control panel application itself is very easy to use.

Once in use, the key operates very efficiently and quickly. I transferred data to the key (which took around 30 seconds for a 500Mb batch of jpegs) and used the secure backup feature to create a backup file. I can use this encrypted data file and restore it to a new key, should my current one be lost or stolen.

Once you’re finished using the key, you lock it using the ‘Lock Drive’ button on the control panel, or by pressing CTRL+L on your keyboard (‘Lock & Quit’ on a Mac). The software shuts down and the key can be safely removed.

Secure Web Browsing

IronKey have even gone one step further with the key, as it also allows you to browse the web using its built-in Firefox browser. This can be used by simply clicking the Mozilla Firefox icon in the control panel. The browser opens a secure internet connection and connects to the web using the IronKey Secure Session Service. The service uses high performance ‘Tor’ (The Onion Router) servers to enable a fast and secure browsing experience. This prevents hackers from obtaining your IP address or any useful information, such as banking details or information relating to your PayPal or eBay accounts. Basically, you can browse the internet securely and anonymously on any PC and unplug the IronKey, safe in the knowledge there is no trace of your web browsing stored anywhere for other people to see.

Identity Manager

When you use either IE or Firefox (or even another browser) with the key plugged into your system and you enter a website that requires personal details to be entered, i.e. username/password, you can store these automatically using the IronKey’s Identity Manager, which helps prevent key loggers from accessing your passwords. The Identity Manager can also be accessed using the new keyhole icon, which will show in your browser’s toolbar when you have your IronKey running. Simply click the icon for a drop down menu of functions available to you.

And, as well as these features, the IronKey also offers a Virtual Keyboard (Windows only) which appears on screen, to further protect against key loggers and even screen loggers, as keys on the virtual keyboard can be randomized after each use. And, it even has its own Password Generator to help you generate long and complex passwords with relative ease.

Currently, IronKey only ships to the United States. However if you don’t reside here you can find an international reseller by clicking here.

In conclusion, you can see that this is much more than just a straightforward USB flash drive, as it goes beyond this and offers features that are not matched by any other USB flash drive on the market. Ok, so maybe it’s a bit over the top for the average user, but if you value your data and the level of security on offer here and can benefit from using the vast array of features, then the IronKey is definitely the flash drive for you.

However, with all this research and development into creating this ultimate flash drive comes great cost to the end user and the IronKey does not come cheap. With the 1Gb S200 key starting at $79.00 and the top-end 32Gb D200 key priced at $299.00, you really have to ask yourself, are you prepared to spend that extra money for the peace of mind it can offer??

And, in addition to all of this, the DoD (Department of Defense) has lifted a 15 month restriction on the use of portable devices and has approved IronKey as the device to be used by all Defense personnel.

Don’t be dazzled by the secure browsing aspect of this device. Once the signal leaves the Tor network it is as vulnerable as if you weren’t using Tor at all, only your IP is protected.

The other “weakness” of this, and all secure devices of the same type, is that once the password is entered and the drive is active, if the machine has been compromised, malicious code can access the data. They go through a lot of trouble to stop key loggers and such, but if the machine has already been compromised when you insert that key, you’re in for a world of hurt.

I have an Ironkey flash drive, and it’s great; but I’ve switched to the Kingston DataTraveler Locker+ (the “+” distinguishes it from the less secure DataTraveler Locker). It has 256-bit hardware based encryption, mandatory complex password, lock down/reformat after 10 intrusion attempts, and works with Mac OS X. It doesn’t have the online and software add-ons, and isn’t quite as rugged, but it starts at about $20 online for a 4GB drive. I got a 32GB version for $117; half the price of the comparable Ironkey. It’s a much better buy for most users.

Uh, the real problem with these devices is that if you forget your password, or it fails to recognize your password, you have yourself a really dandy $60 waste of time. There is no back door to iron keys, that means if you only use it infrequently (as a backup?) you had better write your password down. Most of us don’t have scaly foreign agents trying to lift our usb drives. A regular drive, encrypted, is a much better value and a lot faster and easier to use.

Well, I’ve always figured that the use case for an Iron Key is “Only on the Key, never on the Hard disk” so remembering your password shouldn’t be too big a problem. But if you do have foreign agents on your tail, it is quite possible that they have the tech needed to chop through one of these. I’m sure that NSA level organizations have enough tricks up their sleeves to bypass one of these if they have the incentive.

@prentiss If you did forget your password (I probably would!) you can use the password backup tool that allows you to effectively store your key’s password with IronKey, which is held on a secure server. You can recover the password even without the key, as long as you remember your login details for the site that is! 🙂

NOTE: I’ve used Firefox and I.K ver1.0 to current revision and they all share some sort of instability issue with my FF sessions. Just me though. If it had more robust features like roboform and Sync Toy built in, it would be great, otherwise you’re going to sync manually (not backup), I mean regular synchronization.

I’ve used an IronKey for over a year, and love it. I have the older “S100” model. The problem with it being so tough, is that I can’t justify buying the new one, since they provide free software updates the old one is doing just fine.

Burzmali,

Can you please explain your comment about the Tor network?
I am a fan of using their Secure Sessions. My connection (as I understand it) is using SSL to get to the IronKey network, and then goes through 3 hops and then to a website. Since my bank is using SSL there is no danger. Sure a ‘normal’ website such as the-gadgeteer would have an unencrypted connection between their server and the IronKey network…but that exists for every user of this site, and is hardly a threat.

Am I missing something?

Paul – It’s time for you to step up to an IronKey. A backdoor was revealed about 2 months ago, for most Kingston encrypted drives. It may not be applicable to all of the products, but that’s enough to prove to me that they don’t know what they are doing when it comes to security.

The Kingston DataTraveler Locker+ is NOT one of the compromised drives (source: Ironkey website – https://www.ironkey.com/usb-flash-drive-flaw-exposed). The hack affected three of nine models that Kingston has sold over the last three years, not most of their drives. And to be fair, Kingston has recalled and is offering replacements for all the hacked drives. I’m not trying to be a Kingston apologist. As I said, I think Ironkey drives are great, but there are less expensive alternatives for people who aren’t in the espionage trade.

@Double Agent Yeah, I did hear about the Kingston hacks back in January. They say it didn’t affect any of the ‘+’ versions though, although the versions that were affected still had 256 bit AES and FIPS level 2. (Compared to the level 3 from the I.K.)

In terms of cost, Kingston are cheaper, but the I.K. is way ahead when it comes to technology.

@Graham Law Enforcement and Rescue Services are big users of IronKeys. I carry quite a bit of data around with me that needs to remain secure. It’s not “Double Top Secret” but it is nice to have case data with me when I need it, especially when working with other agencies in the field. I think it is prudent that I secure the data in the best way that I can.

I would also recommend that you get the IK laser engraved with an identifiable name. We chose the name of common tree names so that we can identify one key from the other but not give away our identity should it become lost.

@Double Agent
It all depends on how IK has things setup. I am assuming that it works one of two ways, either by using a standard Tor approach with an Iron Key exit node or you connect to IK and then onto the Tor network. In case 1, IK and anyone positioned after the data left the IK would be able to access any unencrypted information. In case 2, IK would have access to all your data and whoever was running the exit point would be in a position to attack your SSL connection to the bank.

I use Iron Key for all my banking, credit cards and investment accounts. There is nothing better and you can sleep at night. I travel a lot so it’s nice not to have to take a laptop on the plane. Pictures etc are left to the cheaper flash drives, only I care about the crazy pictures of my kids and grandkids.
When you limit the information to sensitive accounts one does not need a large storage.

if your main concern is the security of your usb drive’s files, then the ironkey should satisfy your needs. however, if anonymous internet browsing via the secure sessions feature is what you are mainly after (as i was), forget this product and look elsewhere. secure sessions is extremely buggy and, more often than not, it stops working after 5-10 minutes. when it stops working, the “fix” supplied by ironkey involves:

this tedious 5-10 minute process will usually get you about another 5-10 minutes of secure browsing before secure sessions stops working again. after going through this numerous times, i just gave up and stopped using secure sessions altogether. it is too unstable and unpredictable.

to be fair, there were occasionally days in which secure sessions worked for many hours without a hitch, but these days were the rare exception rather than the rule. furthermore, ironkey support was totally useless for remedying this problem. aside from the laborious fix described above, they were essentially dumbfounded.

i was extremely disappointed with this product and, in hindsight, wish i’d saved the ~$299 and just bought a subscription to astrill, hidemyass.com, or any one of the other available proxy services that cost far less money (and work!).

We have been selling the IronKey product line for a few years now. I use the 16GB Personal device (S200, high speed memory stick) and I could not live without it. The password management aspect of this unit is worth its weight in gold! All I have to know is one password to unlock all my sites.
And yes, securing my mobile data is also great!!
Highly recommended to anyone that travels on the road with data (both personal or business)

Good day. I came across Iron key and I just wanted to know if there is any flash drive that comes close to it or does the government have a better one?
I also found out that if you lose your Iron key the information can be transferred to another Iron key.
With that said, it must be stored somewhere. The introduction video said that not even employees can access the information. But can the company in general or the government, especially with The Privacy act now in full swing, access information in the Iron key?

Integral and SanDisk both produce USB sticks with FIPS 140-2 AES 256 Bit Encryption, however they’re roughly the same price, depending on where you get them from.

However, if you have a look around (Ebay etc) you can get the IronKey for around £30 ($50) for the 1GB version…. not bad.

The data that you store on the key is held in the IronKey vault, of which nobody (apparently) has access to. Obviously, I don’t work for IronKey, so I can’t say that nobody has access to this data, however they do say it’s very secure and yes, you can transfer it to another stick, if you accidentally lose one.

Since doing the review I’ve used the IronKey numerous times for data storage, backups and secure browsing and not encountered a single issue.

I love how people here are bashing the most secure flash drive in the world. do you have a better product? do you have a more secure product? no? I didn’t think so. you can be quiet now, thanks…. the adults are talking.

As a principle, encryption software which originates from the U.S. should be avoided. The problem with IronKey is compounded by the fact that the encryption algorithm cannot be peer reviewed – a substantial drawback. I use a regular USB drive and encrypt volumes according to data category using BestCrypt and an algorithm of my choice (IDEA, by the way). IMHO, IronKey provides a false & expensive sense of security. My solution costs me some $30 for a 32GB memory stick.

I like the concept of the IronKey and they do a lot to provide an attractive “all-in-one” solution.

However, if you are willing to do a little bit of googling and watch some howtos on youtube, you can do almost all of this by yourself with free software and a regular flash drive (and the result is just as simple to use.)

Google the following: portableapps, truecrypt, “truecrypt traveler mode”. The only limitation with the free route is that you need admin rights on whatever computer you are using in order to decrypt the volume… Unless of course you use FreeOTFE for your encryption instead.

Logan, you are just an idiot. Honestly “avoid any encryption from the US”…. seriously, do you have a shred of evidence to support your claim, or are you just biased because you hate America? Have you ever heard of an IK being hacked? I didn’t think so.

John, you are so wrong it’s embarrassing. You can’t hack any device out there to come even close to the IK. Can you get a drive to self destruct? Yeah, I didn’t think so.

Fact is.. (emphasis on the word FACT)… none of you can provide a shred of proof to support your hateful, ignorant, biased, uneducated, unfounded claims. Some of you are security experts, and I don’t think any of you have any real education or experience in the computer field. I happen to have both, and I am giving you my professional opinion (which is a lot more than any of you can give) when I tell you that the IK is the most secure flash drive in the world.

If any of you dimwits want to argue that, you better have hard evidence to support you. Enough of the bullshit opinions with no real substance. The fact is, no IK has ever been defeated. If you can prove otherwise, then make your claim. Otherwise, shut the hell up and stop bashing a great product. Losers.

Brian Bell: First of all, thanks for flaming me on this forum. What I notice (also includes Amazon) is that IK critical reviewers are very often flamed in an aggressive way. It seems, IK proponents just cannot articulate why exactly they think the IK is as secure as they believe it is. Re avoiding encryption (and BTW also data erasure) software from the U.S.: That has nothing to do at all with hating the U.S. This is a rather childish insinuation. People of my age know what we owe to the U.S.! It really is quite well known that you just avoid U.S. (and also “European Community” states) encryption software, since it is assumed that software from those countries always has backdoors. We said that already back 20 years ago… It all started when the PGP discarded the IDEA algorithm, arguably the safest one, developed by Ascom from Switzerland. Also, do you really believe it would be published if an IK were hacked… ?!

I saw a metal flash drive and was intrigued for about ten seconds until I realized that the mechanical design is fundamentally flawed.

Crush tests are a poor way to determine if something is robust. You could run over just about any flash drive with a car and the plastic case *might* crack, but the device would likely still work. Most real-world electronics failures, however, are caused over the long term, and by flexing, not crushing.

Like about 80% of the other flash drives on the market, this drive cannot possibly handle flexing well due to the way the cap was designed. The cap is held on by the USB connector itself and does not overlap the rest of the case to prevent flexing at the joint where the cap presses against the end of the body. Therefore, when you flex this thing, you are putting stress directly on the connector. Over time, this will inevitably cause premature failure of the device, usually suddenly and catastrophically.

On some other companies’ drives with a similar cap design, I’ve seen somewhere close to an 80% failure rate in the first six months due, as best I can tell, to stress fractures at the USB connector. After that experience, I won’t touch any flash drives with such a design. No design in which the cap is held on by the connector itself can possibly be robust in any true sense of the word.

Using the USB connector to hold the cap is like carrying your laptop around by the power cord. It’s just a really bad idea. 🙂

@Logan: First, while I disagree with your opinion, I’m sorry to see that you were treated so shamefully by someone offering nothing more than proof by intimidation. It is not how a real “security expert” would have responded to your question.

I’m not sure what you are getting at with your comment. The IronKey, as described in the specs, uses AES-256 in CBC mode for encryption. AES uses Rijndael as the encryption cipher, which was created by two Belgian cryptographers. IDEA was patent-protected, which would make it less open. Why is that a better choice? Besides which, PGP uses IDEA so I think your point is rather false.

For those who think that TrueCrypt or BestCrypt offer the same level of protection: they are great products, but the encryption happens on your desktop. If the desktop is compromised by malware then those programs are also compromised, as is any data protected by them. The Ironkey’s crypto hardware is on the drive, where it can’t be attacked.

Finally, are you claiming a conspiracy within academic cryptography circles where the top crypto minds are keeping quiet on what they know to be vulnerabilities in cryptographic designs and implementations?

That automatically signs in with your encrypted password of up to 64 characters. So that there is no vulnerability to dictionary attacks and brute force attacks.

Use the IronKey with, e.g., TrueCrypt containers that have the maximum password complexity possible, then use IronKey memory to access these containers.
IK generates random passwords, or use a transformation method to create (and recover) a random password.

Use IK to secure the Word / text files. And use encryption containers / drives for pics, films and whatever.

On 12th Jan. 2011, I wrote that “as a principle, encryption software which originates from the U.S. should be avoided”. After having been called an idiot by Brian Bell (11th Feb. 2011), I added that of course encryption software from the “European Community” (above all from “Germany”) also should be avoided. I guess, my statements have been fully vindicated by now…